My Macbook's MAC Address has been compromised

Discussion in 'macOS' started by TheYoungHustla, Apr 16, 2009.

  1. TheYoungHustla macrumors newbie

    Joined:
    Apr 16, 2009
    #1
    Hello, I'm a new member here and need you guys' help. I've taken many steps since March of this year to keep my wireless network from being hacked, from upgrading to WPA from WEP, changing the password, MAC Filtering (which I found out is useless), and decreasing the transmit channel. Then sometimes I would see my Mail.app launch on its own, and decided to use Little Snitch. I noticed a lot of things going on that were still connecting to my computer w/o any apps running at all, just by being connected to the internet. Especially things trying to connect to Finder and a lot of connections in mDNSResponder (shows all things connected to wireless network) (usually shows about 6 connections!!!).

    I'm on Comcast, and they require us to use these Netgear routers that are distributed by them that do not currently have WPA2 enabled. So, I logged into my router and decided to add 'Parental Controls' with websites that had keywords "porn", "murder", "sex", etc. Since I'm the only one that really uses my home network, so I suppose, and I don't associate myself with any websites that deal with murder, sex or porn, this would possibly expose if my network was STILL compromised. And after checking the 'Parental Control Internet Activity Log' from logging into my router connected to the Comcast Home Networking system, I noticed constant attempts to access sites w/ porn, and sex. It shows the time and the MAC address that attempted to connect to the website.

    Now this perv has used my MAC address and is using that to access my wireless network. I've tried changing my MAC Address by following some tutorial online using Terminal, but it went back to my original MAC address once I restarted... Not to say someone here can successfully guide me to change my MAC Address, then hide it, to stop this... I need to figure out how to eliminate this problem, ONCE AND FOR ALL... Hopefully the experts here at MacRumors can help me.

    Current setup:
    Macbook Pro
    Leopard 10.5.6
    Comcast Home Network
    WPA
     
  2. coolbits macrumors member

    Joined:
    Nov 1, 2006
    #3
    Did you download CS4 or iWork lately? :) It could be that trojan that's connecting from your Mac...
     
  3. milk242 macrumors 6502a

    Joined:
    Jun 28, 2007
    #4
    Try connecting straight to the router via cable and turn off the wireless network to see if your wireless network is actually compromised. If it isn't compromised, you probably have a trojan.
     
  4. ewilson6 macrumors 6502

    Joined:
    Nov 30, 2006
    #5
    Go into your router settings and change your DHCP server settings: change the ending address to something like 2 or 3. This will only let 2-3 computers access your network regardless of the other settings. If you only have one computer then change this number to 2. One is for the router and 2 will be your computer connecting to the router.

    This will block all other users trying to access your wifi or direct connect network.
     
  5. Jethryn Freyman macrumors 68020

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #6
    WPA is secure as long as you use a long, non-dictionary password.

    If someone has the storage space and computing power to brute force a strong WPA key, they'll know how to defeat MAC address spoofing (it's simple.)

    If you suspect a trojan, you could download something like iAntiVirus to do a scan of your system (but backup your data first.)
     
  6. TheYoungHustla thread starter macrumors newbie

    Joined:
    Apr 16, 2009
    #7
    Wow..thanks for the help so far...

    No I don't have kids.
    Didn't know any Trojans or any type of virus was floating around on Macs.
    I have downloaded Photoshop & Flash CS4, but they're legit directly from the Adobe website, non-pirated software.

    Ok, I've tried that before, my MAC Address changed obviously because I was on an Ethernet cable, checked my 'Parental Control Internet Activity Log' and the constant attempts matched that MAC address as well.

    Comcast doesn't allow that option to change the DHCP server settings, it just says it's "enabled".


    Thanks for that tip, installed iAntivirus and nothing came up so far, while doing a full scan of my entire HD.

    I am using a long 26-character alphanumeric passphrase that is not something you can easily think of or is in the dictionary/encyclopedia.
    Let it be known, I'm also using FileVault, enabled Stealth Mode in my Firewall and under my sharing section in System Preference, I share NOTHING!
    EDIT: Screenshots removed
     
  7. ihabime macrumors 6502

    Joined:
    Jan 12, 2005
    #8
    Calm down, no one has hacked your computer, MAC address or wireless network. A few minutes reading the directions that go with Little Snitch and a couple of googles would have answered all your questions.

    Notice the giant icon in the upper left corner of the Little Snitch pop-up window? That's the icon of the program on your computer that is trying to open a port; below that it lists the name and path of the program on your computer.

    In the first one it is the copy of Word that you are running trying to connect to port 3368. Word does this in order to scan your network for other copies of Word or Office using the same license key. It's an anti-piracy measure.

    In the second and third screenshots your copy of iAntivirus is using nmblookup to check your network for NetBIOS or Samba directories to scan. Finder does the same thing, it calls nmblookup periodically to discover shared directories.

    The automountd access may have to do with Time Machine or some other process on your machine looking for a shared directory.

    I'm not sure how Comcast's parental controls work, but just because a website has the word porn or murder on it doesn't mean it is a porn site; tons of websites have those words on them, even MacRumors. They could well be false hits, or a normal website might have ads on it from servers that also serve ads to porn sites, so the ad server has gotten on Comcast's blacklist.
     
  8. TheYoungHustla thread starter macrumors newbie

    Joined:
    Apr 16, 2009
    #9
    Thanks for taking the time to explain that to me..
    In the final portion of what I read, I don't have TimeMachine installed or any type of backup/storage device, so idk where that's coming from. Why would anything be looking for a shared directory in the first place if I don't have anything set to share in my Sharing settings of System Preferences?
    And those attempts pop up once I connect to my network, without even opening up a browser (I've tested this and didn't open up a browser for a few hours and the attempts happened during that time), and stop whenever I disconnect from Airport. I just find all of this weird, that's all. The Mail.app opening on its own and my settings being changed w/o me doing it myself is what had me suspicious.
     
  9. VPrime macrumors 68000

    Joined:
    Dec 19, 2008
    Location:
    London Ontario
    #10
    .. It is not useless.. You probably never set it up correctly. :rolleyes:
     
  10. TheYoungHustla thread starter macrumors newbie

    Joined:
    Apr 16, 2009
    #11
    Oh I set it up correctly, it's just that many would agree w/ me that many immoral hackers will go out of their way and "sniff" for MAC addresses and spoof their own to get onto your network...
     
  11. emt1 macrumors 65816

    Joined:
    Jan 30, 2008
    Location:
    Wisconsin
    #12
    It is useless. So is WEP. WPA can be useless if you use a weak password.
     
  12. Consultant macrumors G5

    Joined:
    Jun 27, 2007
    #13
    You are looking at the wrong problem.

    Sounds like you have installed some kind of trojan.

    If someone has access to your computer via a trojan, changing your MAC address will not change anything.

    Backup your data and reinstall the system.
     
  13. VPrime macrumors 68000

    Joined:
    Dec 19, 2008
    Location:
    London Ontario
    #14
    If you are using it as your main security option obviously. :rolleyes: .. It has many other uses.
    Use it along with WPA for one thing.

    You could also use it to easily separate networks. So one user on your network does not have access to another subnet.

    Calling it outright useless is incorrect. It has its uses.
     
  14. Saladinos macrumors 68000

    Joined:
    Feb 26, 2008
    #15
    It doesn't do anything for security, in any combination of encryption methods. MAC addresses are broadcast and are easy to spoof.
     
  15. VPrime macrumors 68000

    Joined:
    Dec 19, 2008
    Location:
    London Ontario
    #16
    It is usually enough to stop the typical person trying to steal your wireless..

    The same could be said about any encryption. WPA can be cracked in minutes, the number of people that use dictionary words for the WPA password is insane.
    If someone wants in they will get in. But usually if the typical person looking for free wifi can't get in by the first few attempts they move along.
     
  16. snowmoon macrumors 6502a

    Joined:
    Oct 6, 2005
    Location:
    Albany, NY
    #17
    mDNSResponder is, essentially, "Bonjour", which is used by devices on the same network to talk to each other by name. This includes your router, laptop, and anything else including non-computer internet devices.

    Another dumb question... do you have Parallels, VMware, or VirtualBox?
     
  17. TheYoungHustla thread starter macrumors newbie

    Joined:
    Apr 16, 2009
    #18
    I had VMware Fusion, before I did a clean install about a month or so ago. And it was constantly trying to connect online with something like "vmnet". Now I just have the stock apps and installed Reason 4 from the Software package, and CS4 directly from Adobe. Most of the time, I don't even have those apps running at all.
     
  18. ihabime macrumors 6502

    Joined:
    Jan 12, 2005
    #19
    The open ports are part of how Bonjour, NetBIOS and Samba work; even if you don't have anything shared they will open a port to listen on your network for services shared by other computers. They aren't a symptom of any trojan or hacking, just your OS doing what it is supposed to.

    The only setting you mentioned changing back was your MAC address; can you post a link to how you did this? It may not have been a permanent change.

    Mail.app opening by itself is odd, but there have been a couple of posts here about that happening, but nothing definitive.

    Try checking your System Preferences->Accounts->Login Items and make sure Mail is not listed there.

    You can also try trashing a couple of preference files.
    Home Directory->Library->Preferences->com.apple.loginitems.plist
    Home Directory->Library->Preferences->com.apple.mail.plist
    Drag them to the trash, but don't empty the trash, then reboot and see if the problem persists.
     
  19. TheYoungHustla thread starter macrumors newbie

    Joined:
    Apr 16, 2009
    #20
    OK, I've done a clean install and archive install since March and now I've been back to a fresh install of Leopard for about a week now...

    Gotta question tho,
    What does this IP address starting w/ fe80: mean?
    The other 192.168.0.1 is Comcast (I guess, since it's always there at all times) and 192.168.0.3 is my iMac. But that "fe80.." IP address kept popping up like it was actively using my network and I've never seen that before.
    BTW, the last "chic-cns" is Comcast (pretty sure of that one).

    But I'm too confused about that "fe80:". What does that IP address mean? Only two of my computers are connected (Macbook Pro & iMac) and both have a 192.168... IP address.
     
  20. emt1 macrumors 65816

    Joined:
    Jan 30, 2008
    Location:
    Wisconsin
    #21
    I believe the fe80 IP address is an IPv6 address.
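
Added example (not part of any post in this thread): fe80::/10 is the IPv6 link-local range, and when a device builds its link-local address from its hardware address (modified EUI-64), the MAC can be read back out and matched against your own machines. The addresses, MACs and device names below are constructed samples, and the EUI-64 derivation is an assumption about the device; addresses with random interface identifiers carry no MAC.

```python
import ipaddress

def mac_from_link_local(addr):
    """Return the MAC embedded in an EUI-64 style fe80::/10 address, or None."""
    text = addr.split("%", 1)[0]          # drop a zone suffix such as %en1
    ip = ipaddress.ip_address(text)
    if ip.version != 6 or not ip.is_link_local:
        return None
    iid = ip.packed[8:]                   # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe in the middle
        return None                       # not MAC-derived (e.g. random identifier)
    # Undo the universal/local bit flip on the first byte, drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr, known_macs):
    """Describe an address seen in a firewall prompt against a MAC inventory."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if not (ip.version == 6 and ip.is_link_local):
        return "not link-local IPv6"
    mac = mac_from_link_local(addr)
    if mac is None:
        return "link-local, no embedded MAC"
    return f"link-local, MAC {mac} ({known_macs.get(mac, 'unknown device')})"

if __name__ == "__main__":
    # Constructed inventory: MACs taken from the documentation range 00:00:5e:00:53:xx.
    inventory = {"00:00:5e:00:53:0a": "iMac", "00:00:5e:00:53:0b": "MacBook Pro"}
    for seen in ["fe80::200:5eff:fe00:530a%en1",   # constructed, maps to the iMac
                 "fe80::200:5eff:fe00:53ff",       # constructed, not in inventory
                 "fe80::1c2d:3e4f:5a6b:7c8d",      # constructed, random identifier
                 "192.168.0.3"]:
        print(f"{seen:32} -> {classify(seen, inventory)}")
```

A link-local address never leaves the local network segment, so an fe80 entry that decodes to one of your own MACs is just that machine's IPv6 stack announcing itself.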
     
  21. Jethryn Freyman macrumors 68020

    Joined:
    Aug 9, 2007
    Location:
    Australia
  22. TheYoungHustla thread starter macrumors newbie

    Joined:
    Apr 16, 2009
    #23
    Thanks...so I shouldn't have anything to worry about, in that situation, right?
     
  23. SuperMacFan macrumors newbie

    Joined:
    Mar 19, 2009
    #24
    Correct :)
     
  24. McKnight macrumors member

    Joined:
    Mar 29, 2009
    #25
    Just a side note, WPA is proof of concept cracked. You should use WPA2 for actual security.
     
